feat(konnect): add DataPlaneClientCertificate reconciler

.golangci.yaml

@@ -151,3 +151,7 @@ issues:
       linters:
         - revive
       text: "exported: exported"
+    # Methods imported from the SDK do not use the camel case naming convention for DP and we have no control over it.
+    - linters:
+        - forbidigo
+      text: 'use of `.*(Create|Delete)Dataplane.+` forbidden because "Please use camel case'

.mockery.yaml

@@ -30,3 +30,4 @@ packages:
       KeysSDK:
       KeySetsSDK:
       SNIsSDK:
+      DataPlaneClientCertificatesSDK:

CHANGELOG.md

@@ -68,6 +68,8 @@
   [#646](https://github.com/Kong/gateway-operator/pull/646)
 - Add `KongKeySet` reconciler for Konnect KeySets.
   [#657](https://github.com/Kong/gateway-operator/pull/657)
+- Add `KongDataPlaneClientCertificate` reconciler for Konnect DataPlaneClientCertificates.
+  [#694](https://github.com/Kong/gateway-operator/pull/694)
 - The `DataPlaneKonnectExtension` CRD has been introduced. Such a CRD can be attached
   to a `DataPlane` via the extensions field to have a konnect-flavored `DataPlane`.
   [#453](https://github.com/Kong/gateway-operator/pull/453), [#578](https://github.com/Kong/gateway-operator/pull/578)

config/samples/konnect_kongdataplaneclientcertificate.yaml

@@ -0,0 +1,57 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.tech
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test1
+  namespace: default
+spec:
+  name: test1
+  labels:
+    app: test1
+    key1: test1
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongDataPlaneClientCertificate
+apiVersion: configuration.konghq.com/v1alpha1
+metadata:
+  name: dp-cert-1
+  namespace: default
+  annotations:
+    konghq.com/tags: "infra"
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test1
+  cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIDPTCCAiWgAwIBAgIUcNKAk2icWRJGwZ5QDpdSkkeF5kUwDQYJKoZIhvcNAQEL
+    BQAwLjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlLb25nIElu
+    Yy4wHhcNMjQwOTE5MDkwODEzWhcNMjkwOTE4MDkwODEzWjAuMQswCQYDVQQGEwJV
+    UzELMAkGA1UECAwCQ0ExEjAQBgNVBAoMCUtvbmcgSW5jLjCCASIwDQYJKoZIhvcN
+    AQEBBQADggEPADCCAQoCggEBAMvDhLM0vTw0QXmgE+sB6gvKx2PUWzvd2tRZoamH
+    h4RAxYRjgJsJe6WEeAk0tjWQqwAq0Y2MQioMCC4X+L13kpdtomI+4PKjBozg+iTd
+    ThyV0oQSVHHWzayUzcSODnGR524H9YxmkXV5ImrXwbEqXwiUESPVtjnf/ZzWS01v
+    gtbu4x3YW+z8kRoXOTpJHKcEoI90SU9F4yeuQsCtbJHeJZRqPr6Kz84ZuHsZ2MeU
+    os4j1GdMaH3dSysqFv6o1hJ2+6bsrE/ONiGtBb4+tyhivgf+u+ixQwqIERlEJzhI
+    z/csoAAnfMBY401j2NNUgPpwx5sTQdCz5aFDmanol5152M8CAwEAAaNTMFEwHQYD
+    VR0OBBYEFK2qd3oRF37acVvgfDeLakx66ioTMB8GA1UdIwQYMBaAFK2qd3oRF37a
+    cVvgfDeLakx66ioTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+    AAuul+rAztaueTpPIM63nrS4bSZsIatCgAQ5Pihm0+rZ+13BJk4K2GxkS+T0qkB5
+    34+F3eVhUB4cC+kVkWZrlEzD9BsJwWjnoJK+848znTg+ufTeaOQWslYNqFKjmy2k
+    K6NE7E6r+JLdNvafJzeDybSTXI1tCzDRWUdj5m+bgruX07B13KIJKrAweCTD1927
+    WvvfJYxsg8P7dYD9DPlcuOm22ggAaPPu4P/MsnApiq3kJEI/nSGSsboKyjBO2hcz
+    VF1CYr6Epfyw/47kwuJLCVHjlTgT4haOChW1S8rZILCLXfb8ukM/g3XVYIeEwzsr
+    KU74cm8lTFCdxlcXePbMdHc=
+    -----END CERTIFICATE-----

controller/konnect/constraints/constraints.go

@@ -30,7 +30,8 @@ type SupportedKonnectEntityType interface {
 		configurationv1alpha1.KongVault |
 		configurationv1alpha1.KongKey |
 		configurationv1alpha1.KongKeySet |
-		configurationv1alpha1.KongSNI
+		configurationv1alpha1.KongSNI |
+		configurationv1alpha1.KongDataPlaneClientCertificate
 	// TODO: add other types
 
 	GetTypeName() string

controller/konnect/index_kongdataplanecertificate.go

@@ -0,0 +1,32 @@
+package konnect
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
+)
+
+const (
+	// IndexFieldKongDataPlaneClientCertificateOnKonnectGatewayControlPlane is the index field for KongDataPlaneCertificate -> KonnectGatewayControlPlane.
+	IndexFieldKongDataPlaneClientCertificateOnKonnectGatewayControlPlane = "dataPlaneCertificateKonnectGatewayControlPlaneRef"
+)
+
+// IndexOptionsForKongDataPlaneCertificate returns required Index options for KongConsumer reconciler.
+func IndexOptionsForKongDataPlaneCertificate() []ReconciliationIndexOption {
+	return []ReconciliationIndexOption{
+		{
+			IndexObject:  &configurationv1alpha1.KongDataPlaneClientCertificate{},
+			IndexField:   IndexFieldKongDataPlaneClientCertificateOnKonnectGatewayControlPlane,
+			ExtractValue: kongDataPlaneCertificateReferencesKonnectGatewayControlPlane,
+		},
+	}
+}
+
+func kongDataPlaneCertificateReferencesKonnectGatewayControlPlane(object client.Object) []string {
+	dpCert, ok := object.(*configurationv1alpha1.KongDataPlaneClientCertificate)
+	if !ok {
+		return nil
+	}
+
+	return controlPlaneKonnectNamespacedRefAsSlice(dpCert)
+}

controller/konnect/ops/kongdataplanecertificate.go

@@ -0,0 +1,14 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectcomp "github.com/Kong/sdk-konnect-go/models/components"
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// DataPlaneClientCertificatesSDK is the interface for the DataPlaneClientCertificatesSDK.
+type DataPlaneClientCertificatesSDK interface {
+	CreateDataplaneCertificate(ctx context.Context, cpID string, dpReq *sdkkonnectcomp.DataPlaneClientCertificateRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateDataplaneCertificateResponse, error)
+	DeleteDataplaneCertificate(ctx context.Context, controlPlaneID string, certificateID string, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteDataplaneCertificateResponse, error)
+}

controller/konnect/ops/ops.go

@@ -88,10 +88,10 @@ func Create[
 		return e, createKeySet(ctx, sdk.GetKeySetsSDK(), ent)
 	case *configurationv1alpha1.KongSNI:
 		return e, createSNI(ctx, sdk.GetSNIsSDK(), ent)
-
+	case *configurationv1alpha1.KongDataPlaneClientCertificate:
+		return e, createKongDataPlaneClientCertificate(ctx, sdk.GetDataPlaneCertificatesSDK(), ent)
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
-
 	default:
 		return nil, fmt.Errorf("unsupported entity type %T", ent)
 	}
@@ -150,10 +150,10 @@ func Delete[
 		return deleteKeySet(ctx, sdk.GetKeySetsSDK(), ent)
 	case *configurationv1alpha1.KongSNI:
 		return deleteSNI(ctx, sdk.GetSNIsSDK(), ent)
-
+	case *configurationv1alpha1.KongDataPlaneClientCertificate:
+		return deleteKongDataPlaneClientCertificate(ctx, sdk.GetDataPlaneCertificatesSDK(), ent)
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
-
 	default:
 		return fmt.Errorf("unsupported entity type %T", ent)
 	}
@@ -257,7 +257,8 @@ func Update[
 		return ctrl.Result{}, updateKeySet(ctx, sdk.GetKeySetsSDK(), ent)
 	case *configurationv1alpha1.KongSNI:
 		return ctrl.Result{}, updateSNI(ctx, sdk.GetSNIsSDK(), ent)
-
+	case *configurationv1alpha1.KongDataPlaneClientCertificate:
+		return ctrl.Result{}, nil // DataPlaneCertificates are immutable.
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types